The Nonce-nce of Web Security: an Investigation of CSP Nonces Reuse
Matteo Golinelli, Francesco Bonomi, Bruno Crispo

TL;DR
This paper investigates the reuse of CSP nonces across websites, revealing potential security vulnerabilities that could allow attackers to bypass XSS protections through nonce reuse and caching issues.
Contribution
It provides the first large-scale analysis of nonce reuse in the wild, identifying causes and security implications of nonce reuse in CSP implementations.
Findings
598 out of 2271 sites reuse nonces
Nonce reuse can let an attacker bypass the XSS protection a nonce-based CSP is meant to provide
Nonce reuse often caused by server-side caching
Abstract
Content Security Policy (CSP) is an effective security mechanism that prevents the exploitation of Cross-Site Scripting (XSS) vulnerabilities on websites by specifying the sources from which their web pages can load resources, such as scripts and styles. CSP nonces enable websites to allow the execution of specific inline scripts and styles without relying on a whitelist. In this study, we measure and analyze the use of CSP nonces in the wild, specifically looking for nonce reuse, short nonces, and invalid nonces. We find that, of the 2271 sites that deploy a nonce-based policy, 598 of them reuse the same nonce value in more than one response, potentially enabling attackers to bypass the protection offered by CSP against XSS attacks. We analyze the causes of the nonce reuse to identify whether it is introduced by the server-side code or whether the nonces are being cached by web caches.…
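As an added illustration, not code from the paper, the following Python checker applies the three checks the abstract names (nonce reuse across responses, short nonces, invalid nonces) to a set of captured CSP header values. The sample responses are constructed, and the 22-character threshold is an assumption derived from the CSP specification's recommendation of at least 128 bits of randomness (base64 carries 6 bits per character). A nonce that appears in several directives of one response is normal and is not counted as reuse; only the same value across different responses is flagged.

```python
import re
from collections import defaultdict

# Matches each 'nonce-<value>' source expression in a CSP header value.
NONCE_RE = re.compile(r"'nonce-([^']*)'")
# base64-value per the CSP grammar: base64/base64url characters plus up to two '=' pads.
BASE64_VALUE_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")
# Assumption: 128 bits of randomness needs at least ceil(128 / 6) = 22 base64 characters.
MIN_NONCE_CHARS = 22


def extract_nonces(csp_header):
    """Return the distinct nonce values in one CSP header value, in order of appearance."""
    return list(dict.fromkeys(NONCE_RE.findall(csp_header)))


def audit_nonces(responses):
    """responses: list of (label, csp_header_value), one entry per HTTP response.

    Returns a dict with three findings:
      reused  -> {nonce: [labels of the responses that sent it]} for nonces seen in >1 response
      short   -> [(label, nonce)] for syntactically valid nonces below MIN_NONCE_CHARS
      invalid -> [(label, nonce)] for nonces that are not a valid base64-value
    """
    seen = defaultdict(list)
    short, invalid = [], []
    for label, csp in responses:
        for nonce in extract_nonces(csp):
            seen[nonce].append(label)
            if not BASE64_VALUE_RE.match(nonce):
                invalid.append((label, nonce))
            elif len(nonce) < MIN_NONCE_CHARS:
                short.append((label, nonce))
    reused = {n: labels for n, labels in seen.items() if len(labels) > 1}
    return {"reused": reused, "short": short, "invalid": invalid}


# Constructed sample: the same page fetched twice (as a cache would serve it), plus two other pages.
SAMPLE_RESPONSES = [
    ("GET /home #1", "script-src 'nonce-rAnd0mBase64Value+12345678' 'strict-dynamic'; "
                     "style-src 'nonce-rAnd0mBase64Value+12345678'"),
    ("GET /home #2", "script-src 'nonce-rAnd0mBase64Value+12345678' 'strict-dynamic'; "
                     "style-src 'nonce-rAnd0mBase64Value+12345678'"),
    ("GET /about #1", "script-src 'nonce-abc123'"),
    ("GET /login #1", "script-src 'nonce-bad nonce!'"),
]

if __name__ == "__main__":
    for kind, finding in audit_nonces(SAMPLE_RESPONSES).items():
        print(kind, finding)
```

Run against real traffic, the labels would be URL plus fetch number, and a nonce reused only between fetches of the same URL points at caching, while reuse across URLs points at the server-side code.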
Taxonomy
Topics: Web Application Security Vulnerabilities · Spam and Phishing Detection · Advanced Malware Detection Techniques
